If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below. ** If you are logged in, most ads will not be displayed. **

ssh keygen; asking for password

I am setting up a server so "userA" is using keys from "serverA" to access "serverB, userB".

I created keys using "ssh-keygen -t rsa -f id_rsa" in /home/userA/.ssh
copy .pub file to serverB/user B/.ssh
copied contents of .pub file into the /.ssh/authorized_keys file
chmod 700 to the .ssh directories and .pub files
chmod 600 to the authorized_key file

From serverA as userA, "ssh - v userB@serverB"
the debug1 message indicates it found the key file and took it but later prompts me for "userB password: " I enter the password and the connection continues.

But after making a connection, I'm prompted to enter the password for "user B".

I've gone back and forth on this several times; reinstalling trying different type of keys (rsa, dsa, ssh), each having the same symptom of asking for the password and as you might imagine, it's getting a bit frustrating.

From serverA as userA, "ssh - v userB@serverB"
the debug1 message indicates it found the key file and took it but later prompts me for "userB password: " I enter the password and the connection continues.

But after making a connection, I'm prompted to enter the password for "user B".

I do not understand this part. Are you asked twice for the same password? Or do you want to login without a password?

I'm trying to login without password, using keys. In this instance / case; it's accepting the keys but also asking for a password.

When I ssh to the server, using " ssh - v userB@10.1.1.2" it finds and accept the key but also asks for password.

Ok. I show you how I have configured my ssh daemon in order to achieve that.
sshd on serverB (sshd_config in /etc/ssh):

Code:

# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
RSAAuthentication no
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

Of course, you have to restart sshd so that this configurations are accepted.
Then, I have generated a key by typing

Code:

ssh-keygen -t dsa

When the ssh-keygen asked me for the passphrase I just hit enter twice to indicate that I do not want any passphrase.

And as you have already described I have copied the key in the authorized_keys file in
the ~userB/.ssh/ directory.

I think the bit you missed is that you do not enter the password when generating the key. If you do you are creating a key based on that password. The idea is to create a key based on having no password.

Yes thank you, the steps you outline is what I performed on ServerA as UserA:
"ssh-keygen -t rsa -f id_rsa"
press enter twice when asked for passphrase
created two files, id_rsa and id_rsa.pub
copied id_rsa.pub to ServerB, UserB
cat contents of id_rsa.pub into authorized_keys
from ServerA "ssh -v UserB@ServerB"
it found keys, accepted
However, further along, it will ask for password

In terms of my ServerB sshd_config file, it is:

# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

Yes thank you, the steps you outline is what I performed on ServerA as UserA:
"ssh-keygen -t rsa -f id_rsa"
press enter twice when asked for passphrase
created two files, id_rsa and id_rsa.pub
copied id_rsa.pub to ServerB, UserB
cat contents of id_rsa.pub into authorized_keys
from ServerA "ssh -v UserB@ServerB"
it found keys, accepted
However, further along, it will ask for password

In terms of my ServerB sshd_config file, it is:

# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

Any thoughts?

Thanks in advance

Hi mjc,

did you try to set

Code:

PubkeyAuthentication yes
PasswordAuthentication no

in your sshd_config?

That should be the problem. If you check my setting that I have posted before, you can
find that I have marked these lines.